[vim/vim] use-after-free with 'qftf' wiping buffer (PR #19142)

8 views
Skip to first unread message

Christian Brabandt

unread,
Jan 9, 2026, 9:58:31 AM (3 days ago) Jan 9
to vim/vim, Subscribed

Problem: use-after-free with 'qftf' wiping buffer
Solution: Forbid changing the window layout or wiping the buffers.

You can view, comment on, or merge this pull request online at:

  https://github.com/vim/vim/pull/19142

Commit Summary

  • 324f25f use-after-free with 'qftf' wiping buffer

File Changes

(3 files)

Patch Links:


Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19142@github.com>

zeertzjq

unread,
Jan 9, 2026, 5:01:35 PM (2 days ago) Jan 9
to vim/vim, Subscribed

@zeertzjq commented on this pull request.

In src/quickfix.c:

> @@ -5097,6 +5097,9 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
 	args[0].vval.v_dict = d;
 
 	qftf_list = NULL;
+	window_layout_lock();
+	curwin->w_locked = TRUE;
+	curbuf->b_locked = TRUE;
⬇️ Suggested change 
-	curbuf->b_locked = TRUE;
+	curbuf->b_locked++;

In src/quickfix.c:

> @@ -5106,6 +5109,9 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
 	    }
 	    clear_tv(&rettv);
 	}
+	curbuf->b_locked = FALSE;
⬇️ Suggested change 
-	curbuf->b_locked = FALSE;
+	curbuf->b_locked--;


Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19142/review/3645689648@github.com>

zeertzjq

unread,
Jan 9, 2026, 5:21:26 PM (2 days ago) Jan 9
to vim/vim, Subscribed
zeertzjq left a comment (vim/vim#19142)

eval_foldexpr() just uses textlock, which is simpler and safer (but it also prevents changing text). I guess textlock can be used here instead too?


Reply to this email directly, view it on GitHub.

You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19142/c3730774838@github.com>

Christian Brabandt

unread,
Jan 10, 2026, 12:05:56 PM (2 days ago) Jan 10
to vim/vim, Subscribed
chrisbra left a comment (vim/vim#19142)

. I guess textlock can be used here instead too, or is it too restrictive?

Yeah, I wondered about this too. In principle that should be fine for the quickfixtextfunc. Let me see if this prevents a :bw


Reply to this email directly, view it on GitHub.

You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19142/c3733227683@github.com>

Christian Brabandt

unread,
Jan 10, 2026, 1:06:31 PM (2 days ago) Jan 10
to vim/vim, Push

@chrisbra pushed 1 commit.

  • 900add5 Enable textlock when evaluating quickftextfunc


View it on GitHub or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19142/before/324f25f3971f13de7cdc15f6e731dfbc286412fd/after/900add58dea86e0af5f63cb5350f3c833d6847df@github.com>

Christian Brabandt

unread,
Jan 11, 2026, 2:09:19 PM (12 hours ago) Jan 11
to vim/vim, Subscribed

Closed #19142 via 300ea11.


Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19142/issue_event/21974308459@github.com>

Reply all
Reply to author
Forward
0 new messages